Optimizing Nginx HTTPS: OCSP stapling

This nginx configuration is for the domain dev.api.dajxyl.com.
nginx configuration

```nginx
server {
    listen 443 ssl;
    server_name dev.api.dajxyl.com;
    # ssl on;
    ssl_certificate /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.api.dajxyl.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Enable OCSP stapling: when a client connects, nginx looks up the OCSP responder
    # address in the configured certificate, fetches the response and sends it to the
    # client together with the certificate chain.
    ssl_stapling on;
    # Enable verification of the OCSP response (that it applies to the served certificate)
    ssl_stapling_verify on;
    # Points at the CA's root certificate
    ssl_trusted_certificate /etc/letsencrypt/live/dev.api.dajxyl.com/fullchain.pem;
    # Resolver used to look up the OCSP responder's hostname; valid sets the cache lifetime.
    resolver 8.8.8.8 8.8.4.4 valid=36000s;
    # resolver_timeout is the network timeout for those lookups
    resolver_timeout 5s;
    include enable-php.conf;
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/www/:/tmp/:/proc/";
    root /home/www/dajx-api/web;
    index index.html index.php;
    access_log /home/wwwlogs/dajx-api.access.log;
    error_log /home/wwwlogs/dajx-api.error.log;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```
- Because the CNAME of ocsp.int-x3.letsencrypt.org, a771.dscq.akamai.net, is being interfered with, a temporary workaround is to edit /etc/hosts locally and add the line `23.32.3.72 ocsp.int-x3.letsencrypt.org`.
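Two things are worth checking after applying the configuration above and the hosts workaround: that the server really sends a staple to clients, and that the OCSP responder named in the note is reachable from the server at all. The following shell script is an added example, not code from the original post. It assumes `openssl` is installed, the certbot file layout under /etc/letsencrypt/live/dev.api.dajxyl.com (cert.pem and chain.pem), and the responder URL from the note above; the `openssl s_client -status` output embedded in it is constructed for offline use, not captured from the domain.

```shell
#!/bin/sh
# Added example: check OCSP stapling from the client side and the responder
# from the server side. Not part of the original post.

# Classify `openssl s_client -status` (or `openssl ocsp -resp_text`) output
# read from stdin. Prints one of: stapled-good, stapled-not-good, no-staple.
classify_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*)
      case "$out" in
        *"Cert Status: good"*) echo "stapled-good" ;;
        *) echo "stapled-not-good" ;;   # revoked or unknown: investigate
      esac ;;
    *) echo "no-staple" ;;
  esac
}

# Client-side check of a live host (needs network). nginx fetches the staple
# lazily after startup, so the very first connection may report no-staple;
# run it twice.
check_host() {
  host=$1
  port=${2:-443}
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
    -status 2>/dev/null | classify_staple
}

# Server-side check: ask the responder directly, which is what nginx does on
# the client's behalf. Useful to confirm the /etc/hosts workaround reaches the
# responder. Paths assume certbot's layout; the URL is the one from the note.
query_responder() {
  live=${1:-/etc/letsencrypt/live/dev.api.dajxyl.com}
  url=${2:-http://ocsp.int-x3.letsencrypt.org}
  openssl ocsp -issuer "$live/chain.pem" -cert "$live/cert.pem" \
    -url "$url" -resp_text 2>&1 | classify_staple
}

# Constructed sample outputs (not captured from dev.api.dajxyl.com).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Offline demonstration on the constructed samples.
demo() {
  printf 'with staple:    %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | classify_staple)"
  printf 'without staple: %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | classify_staple)"
}

demo
# Pass a hostname as $1 to probe a live server, e.g. ./ocsp-check.sh dev.api.dajxyl.com
if [ -n "${1:-}" ]; then
  check_host "$1"
fi
```

Note that `ssl_stapling_verify on` validates the fetched response against `ssl_trusted_certificate`; the nginx documentation expects that file to contain the issuer's certificate and the root (with certbot, chain.pem holds the intermediate), so if `check_host` keeps reporting `no-staple` while `query_responder` succeeds, that file and the nginx error log are the first places to look.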